[Snort-users] stream5 tcp session without 3-say handshake overload

Joel Esler (jesler) jesler at ...589...
Tue Aug 12 19:51:49 EDT 2014

I think what you want is: "http://manual.snort.org/node206.html”

Joel Esler
Open Source Manager
Threat Intelligence Team Lead

> On Aug 12, 2014, at 4:08 PM, Robert Millott <robm at ...16885...> wrote:
> All
>   I am getting so many alerts in my logs it fill up /var/log/message and shut down snort.  The alert I see most is
> stream5: TCP session without 3-way handshake.
> I googled it, and everything I find on the "Check_session_hijacking" says "The default is set to off".  I am not sure why I am getting all these alert if the default is to off, but more importantly, how do I actually disable it?  
>   I am fairly sure I know why I am getting them, and that will take a longer time to fix, so I just need to disable this alert.  My snort.conf does not have anything about session_hijacking in it, so I"m not sure If I just need to add a line to disable it or what.
> Details:
> Gentoo 3.14.4
> Snort GRE (build 47)
> Barnyard: 2.1.13 (build 327)
> snort is outputting to /var/log/snort.u2 which barnyard is reading and writing to /var/log/messages
> snort.conf:  output unified2: filename snort1.u2, limit 128
> barnyard.conf :  output log_syslog_full: sensor_name xxxxxxx, local, log_priority log_alert, operation_mode default
> Any help would be greatly appreciated
> -- 
> Robert Millott
> President, Millott and Associates
> (443) 255-3588
> ------------------------------------------------------------------------------
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

More information about the Snort-users mailing list